commit:     280eb10e71337401487dd51dc3cb9243b16be783
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Sun Aug  8 16:54:41 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Nov 20 22:58:24 2021 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=280eb10e

cryfs, roles: use user exec domain attribute

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/apps/cryfs.if   | 31 +++++++++++++++++++++++--------
 policy/modules/roles/sysadm.te |  2 +-
 2 files changed, 24 insertions(+), 9 deletions(-)

diff --git a/policy/modules/apps/cryfs.if b/policy/modules/apps/cryfs.if
index 300a00ad..d0bece91 100644
--- a/policy/modules/apps/cryfs.if
+++ b/policy/modules/apps/cryfs.if
@@ -4,18 +4,29 @@
 ## <summary>
 ##     Role access for CryFS.
 ## </summary>
-## <param name="role">
+## <param name="role_prefix">
 ##     <summary>
-##     Role allowed access.
+##     The prefix of the user role (e.g., user
+##     is the prefix for user_r).
 ##     </summary>
 ## </param>
-## <param name="domain">
+## <param name="user_domain">
 ##     <summary>
 ##     User domain for the role.
 ##     </summary>
 ## </param>
+## <param name="user_exec_domain">
+##     <summary>
+##     User exec domain for execute and transition access.
+##     </summary>
+## </param>
+## <param name="role">
+##     <summary>
+##     Role allowed access
+##     </summary>
+## </param>
 #
-interface(`cryfs_role',`
+template(`cryfs_role',`
        gen_require(`
                attribute_role cryfs_roles;
                type cryfs_t, cryfs_exec_t;
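Review bot: The positional arguments are reordered here (the role moves from `$1` to `$4`), but the header comment gives no hint that the old two-argument form `cryfs_role(role, domain)` is no longer valid. A caller that is not updated would pass its role as the prefix and leave `$3` and `$4` empty. That presumably fails at build time, which should be confirmed, and only the sysadm.te caller is updated on this page. I would add a line to the summary such as `## Callers must pass all four arguments: prefix, user domain, user exec domain, role.` and end the new `Role allowed access` summary with a period to match the other params. The template body continues past the end of this hunk.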
@@ -26,15 +37,19 @@ interface(`cryfs_role',`
        # Declarations
        #
 
-       roleattribute $1 cryfs_roles;
+       roleattribute $4 cryfs_roles;
 
        ########################################
        #
        # Policy
        #
 
-       domtrans_pattern($2, cryfs_exec_t, cryfs_t)
+       domtrans_pattern($3, cryfs_exec_t, cryfs_t)
 
-       allow $2 cryfs_t:process signal_perms;
-       ps_process_pattern($2, cryfs_t)
+       allow $3 cryfs_t:process signal_perms;
+       ps_process_pattern($3, cryfs_t)
+
+       optional_policy(`
+               systemd_user_app_status($1, cryfs_t)
+       ')
 ')
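Review bot: The `domtrans_pattern`, `allow ... signal_perms` and `ps_process_pattern` rules now take `$3`, which the caller in sysadm.te fills with an attribute rather than a single type, and nothing here records that this widening is intended. Every type carrying that attribute gains the transition into `cryfs_t` plus signal and process-listing access to it. A why-comment above the rules would help the next auditor, for example `# $3 is the user exec domain attribute: all of the role's exec domains may run and signal cryfs_t`. In the lines visible here `$2` (user_domain) is no longer referenced, so its param doc could say it is unused or kept for signature consistency. The template starts in the previous hunk, and the lines between the two hunks are not shown.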

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 44b80516..d5d61098 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1230,7 +1230,7 @@ ifndef(`distro_redhat',`
        ')
 
        optional_policy(`
-               cryfs_role(sysadm_r, sysadm_t)
+               cryfs_role(sysadm, sysadm_t, sysadm_application_exec_domain, 
sysadm_r)
        ')
 
        optional_policy(`
